The UAE banking sector stands at a pivotal moment in its digital transformation journey. As one of the most technologically advanced banking markets globally, the region faces both unprecedented opportunities and evolving security challenges.
Recent regulatory changes from the Central Bank of the UAE (CBUAE) are reshaping the landscape, requiring financial institutions to rethink how they protect customers and maintain trust.
Beyond SMS and OTPs
For years, SMS and email one-time passwords (OTP) have served as the backbone of digital authentication across banking channels. These methods, while convenient, are increasingly vulnerable to sophisticated threats such as SIM swapping, phishing, and malware interception. According to industry data, SIM swap attacks and phishing remain among the top fraud vectors, with malware capable of intercepting SMS OTPs on compromised devices. The result: higher fraud losses, more disputes, and reputational risk for banks.
Recognizing these risks, the CBUAE has mandated a phased transition away from SMS and email OTP for sensitive operations, including online card transactions, payments, account updates, and device provisioning, with an exact deadline set for March 31, 2026.
It is essential to note that SMS OTP remains a valid solution and continues to play a crucial role in the region’s digital banking ecosystem. The shift is not about discarding SMS OTP, but about elevating security standards for high-risk transactions.
Push-based authentication: Security meets user experience
UAE banks are already adapting, and many of them are no longer relying on SMS OTP to perform 3-D Secure transactions. Leading banks have already begun informing customers that, in the coming months, these services will be discontinued and fully integrated within their mobile apps in the form of push-based authentication.
When a sensitive action is initiated, the bank triggers a secure push notification via its mobile app. Customers can review transaction details and approve with Face ID, Touch ID, or a secure app PIN, eliminating the need to type codes, reducing phishing risk, and removing dependency on telco routing.
This method is not only faster and more secure, but it also typically reduces OTP delivery costs and improves completion rates.
The business value of this transition is clear: customers benefit from a better user experience with one-tap approvals, banks achieve stronger security through device-bound and biometric authentication, and there is a clear path to regulatory compliance. Integration is straightforward – on one side, the mobile software development kit (SDK) binds the device and handles secure delivery, and on the other, the bank’s authentication server issues and validates challenges.
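The challenge flow described above, as an added example (not code from the article or from any vendor SDK): the server issues a single-use challenge bound to the transaction details and the enrolled device, then validates the device's response. All class and function names are hypothetical, and an HMAC over a per-device secret stands in for the asymmetric key a production SDK would hold in the device's secure hardware.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (constructed value)

def txn_digest(cid, txn):
    # Canonical encoding so server and device hash identical bytes.
    canon = json.dumps({"id": cid, "txn": txn}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).digest()

class AuthServer:
    """Hypothetical bank-side issuer and validator of push challenges."""
    def __init__(self):
        self.device_keys = {}  # device_id -> secret provisioned at enrolment
        self.pending = {}      # challenge id -> (device_id, digest, expiry)

    def enrol(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def issue(self, device_id, txn, now=None):
        if device_id not in self.device_keys:
            raise ValueError("device not enrolled")
        now = time.time() if now is None else now
        cid = secrets.token_hex(16)
        self.pending[cid] = (device_id, txn_digest(cid, txn), now + CHALLENGE_TTL)
        return {"id": cid, "txn": txn}  # payload carried by the push notification

    def validate(self, cid, device_id, tag, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # single use: consumed on first attempt
        if entry is None:
            return "unknown_or_replayed"
        bound_device, digest, expiry = entry
        if now > expiry:
            return "expired"
        if device_id != bound_device:
            return "wrong_device"
        expected = hmac.new(self.device_keys[device_id], digest, hashlib.sha256).digest()
        return "approved" if hmac.compare_digest(expected, tag) else "bad_signature"

def device_approve(key, challenge):
    """SDK side: called only after the user reviews the details and passes biometric or PIN."""
    digest = txn_digest(challenge["id"], challenge["txn"])
    return hmac.new(key, digest, hashlib.sha256).digest()
```

Because the response covers the challenge id and the transaction fields together, an approval given for one amount or merchant cannot be reused for another, and a captured response fails once the challenge has been consumed or has expired.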
Recent data underscores the urgency and impact of these changes:
- 50 per cent of UAE consumers have fallen for a digital or payment scam, with 15 per cent being victims multiple times.
- 75 per cent of customers are willing to switch banks over inadequate fraud protection.
- According to our numbers, push notifications, as a primary channel, offer a secure and low-cost default for app users, while SMS remains essential for universal reach, boasting a 98 per cent open rate.
- WhatsApp serves as a high-trust fallback, with open rates exceeding 90 per cent and supporting two-way customer engagement.
Fraud prevention: Speed, security, and scale
Authentication is only the first step. Effective fraud prevention requires banks to communicate with customers instantly and seamlessly across multiple channels. Fragmented tools and manual resolution processes often lead to delayed responses, increased disputes, and higher operational costs.
Customers may bounce between apps, IVR, and email while losses grow. For example, imagine a customer receiving a suspicious login alert and quickly confirming it via push notification – or, if needed, being escalated to an in-app chat for immediate assistance.
A unified, automated communication platform enables banks to notify customers instantly, whether via push, SMS, or WhatsApp, using intelligent routing and failover to ensure every critical message reaches its intended recipient.
Automation is also transforming routine fraud scenarios. For example, “Was this you?” checks or suspicious login alerts can now be handled automatically, reducing resolution times and protecting margins. When escalation is needed, seamless handover to human agents through in-app chat or secure web calling ensures that customers receive timely, contextual support without having to repeat their issue or switch channels. Enhancements such as channel recommendations, send-time optimisation, behavioral segmentation, and intelligent failover are making fraud alerts more relevant, timely, and effective.
The result is a fraud prevention framework that is not only more secure but also more customer-centric.
Layered defenses are vital. Mobile network operators (MNOs) can utilise their network to support Mobile Identity APIs to deliver real-time, carrier-verified signals that reinforce and amplify existing controls for defense-in-depth – driving faster detection, stronger security, and fewer fraud attempts.
The direction for UAE banking is clear: security, compliance, and customer experience must advance together. As regulators raise the bar, banks have an opportunity to transform fraud management from a cost centre into a strategic advantage. By embracing strong authentication and unified communication, the industry can protect customers, foster trust, and accelerate digital growth. Ultimately, the move away from legacy OTP methods represents more than a compliance exercise – it’s an opportunity to redefine customer trust in the digital era.
As this evolution unfolds, it is essential for banks to partner with technology providers who understand both the regulatory landscape and the technical complexities of secure digital banking. With deep expertise in authentication, omnichannel communication, and fraud prevention, Infobip has been at the forefront of supporting financial institutions through this transition, helping them navigate new requirements while delivering seamless and secure experiences to their customers.
The writer is the head of Customer Success EMEA, Infobip.


